Implementing PKI authentication


The BMC Server Automation Authentication Server can use public key infrastructure (PKI) to authenticate users who present a type of smart card known as a common access card (CAC). Through ActiveClient middleware, a BMC Server Automation client can access the appropriate certificate and private key on the smart card to authenticate the user.

To verify that a certificate is currently valid, the Authentication Server can access an OCSP Responder. By default, OCSP verification is enabled for PKI authentication. For more information about setting up OCSP, see Setting up certificate verification using OCSP.

While logging into a BMC Server Automation client, the user must insert a smart card into a card reader and enter a PIN. If the information the user enters is valid and the OCSP Responder verifies the validity of the user's certificate, the Authentication Service issues the client a session credential.

BMC Server Automation does not provide a default set of trusted CA certificates for use with PKI authentication. If you are implementing PKI, you must obtain certificates from a CA.

For a procedure describing how to set up PKI authentication, see Configuring PKI authentication.

Note

In this release, PKI authentication is not supported by the BMC Server Automation Console on 64-bit Windows systems. On a Windows 64-bit system, install and use the 32-bit BMC Server Automation Console.

 
